- We have learned the three common permissions r (read), w (write) and x (execute), but when we query the permissions of system files we find that other permission letters appear, such as:

```
ll /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd
   ▲
#When a normal user executes the passwd command:
#1. Because the passwd command has the SUID special permission (there is an s in the owner's permission bits),
#2. During the execution of the command, the command runs with the identity of the command's owner: root
```
- Ordinary user --> passwd --> the command runs with the identity of its owner, root --> relying on the root identity --> modifies the password information in /etc/shadow
By default, ordinary users cannot view /etc/shadow. Is there a way to let all ordinary users view /etc/shadow?
```
su - xu                  #Switch to a normal user
Last login: Sat Mar 14 00:54:53 CST 2020 on pts/0
$ cat /etc/shadow        #An ordinary user cannot cat this file
cat: /etc/shadow: Permission denied
ll /usr/bin/cat          #View the permissions of the cat command
-rwxr-xr-x. 1 root root 54160 Oct 31 2018 /usr/bin/cat
chmod 4755 /usr/bin/cat  #Give the cat command the special permission SUID
#Or chmod u+s /usr/bin/cat
ll /usr/bin/cat          #View the permissions of the cat command again
-rwsr-xr-x. 1 root root 54160 Oct 31 2018 /usr/bin/cat
   ▲
$ cat /etc/shadow        #cat the file as the ordinary user again
root:$6$z/ZkRi2of/59HbsT$pfSdItKyuq5/R6u0t4CzhapdU32fGc9d7Vxy6AKfJnU758IuBc/q4sIgY6w2aQHj6cE60GQbHLjx7.JiRl2/x0::0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
```
Representation: an s (or S) is displayed in the group permission bits of the file; which letter appears depends on whether the group execute permission is also present.
When a normal user executes the passwd command:
1. Because the passwd command has the SGID special permission (there is an s in the command's group permission bit),
2. During the execution of the command, the command runs with the identity of the command's "group": group root
File: ordinary user --> passwd --> the command runs with the identity of its group, root --> relying on the root group identity --> modifies the password information in /etc/shadow
Directory: after SGID is set on a directory, files created in it inherit the group of the directory.
suid runs the command program with the identity of its "owner"
sgid runs the command program with the identity of its "group"
Applying it:

```
ll /usr/bin/cat
-rwxr-xr-x. 1 root root 54160 Oct 31 2018 /usr/bin/cat
chmod 2755 /usr/bin/cat  #Or chmod g+s /usr/bin/cat
ll /usr/bin/cat
-rwxr-sr-x. 1 root root 54160 Oct 31 2018 /usr/bin/cat
      ▲
```
- sgid function:
Using sgid makes it easy for multiple users to share all files in a directory.
- For directories:
Once a directory is given the sticky bit, only root can delete all of the files in it. Even if ordinary users have w permission on the directory, they can only delete files created by themselves, not files created by other users.

```
chmod 1755 /usr/bin/cat  #Or chmod o+t /usr/bin/cat
ll /usr/bin/cat
-rwxr-xr-t. 1 root root 54160 Oct 31 2018 /usr/bin/cat
         ▲
```
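The demos above put SUID, SGID and the sticky bit on /usr/bin/cat, and a SUID cat lets any user read /etc/shadow, which is exactly the kind of change an administrator wants to notice. The audit script below is an added example, not part of the original page; the allowlist contents and the temporary directory tree it scans are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): list every regular file under a
# directory that carries SUID, SGID or the sticky bit and report those missing
# from an allowlist. The allowlist here is a constructed sample; in practice it
# is generated from a freshly installed, trusted host and kept under version
# control, so a stray "chmod 4755 /usr/bin/cat" shows up on the next run.

# Print "mode path" for each special-bit file under $1. -xdev stays on one
# filesystem; stat's %a prints the mode in octal (GNU coreutils stat).
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 -o -perm -1000 \) \
        -exec stat -c '%a %n' {} + 2>/dev/null | sort
}

# Report special-bit files under $1 that are not listed (one path per line)
# in the allowlist file $2. Returns 1 if any were found, so the function can
# gate a cron job or a CI step.
audit_special_bits() {
    unexpected=$(list_special_bits "$1" | while read -r mode path; do
        grep -qxF -- "$path" "$2" || printf 'UNEXPECTED %s %s\n' "$mode" "$path"
    done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Demonstration on a constructed temporary tree; no system files are touched.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    : > "$tmp/bin/passwd"; chmod 4755 "$tmp/bin/passwd" # expected SUID, like the real passwd
    : > "$tmp/bin/cat";    chmod 4755 "$tmp/bin/cat"    # the page's chmod 4755 /usr/bin/cat
    : > "$tmp/bin/ls";     chmod 0755 "$tmp/bin/ls"     # ordinary binary, nothing to report
    printf '%s\n' "$tmp/bin/passwd" > "$tmp/allow.txt"
    audit_special_bits "$tmp/bin" "$tmp/allow.txt"
    status=$?
    rm -rf "$tmp"
    return $status
}

if demo_audit; then
    echo "no unexpected special-bit files"
else
    echo "unexpected special-bit files found (exit status 1)"
fi
```

Running it on a real host means calling `audit_special_bits / /etc/suid-allowlist.txt` (an assumed allowlist path) from cron and alerting on a non-zero exit status.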
- Permissions related
1. I want to create a file that cannot be deleted, not even by root.
2. I want this file to allow data to be appended to it only.
The chattr command, which only the root user can use, modifies file-system attributes and provides protection beyond the basic rwx permissions.
- chattr [+ - =] option file or directory name
Options:
+: add the attribute
-: remove the attribute
=: set exactly the given attribute
a: make the file or directory append-only
i: make the file or directory immutable (it cannot be changed)
- Example: configure a file so that it cannot be changed or deleted, only appended to
```
touch file            #Create a file
lsattr file           #Query the file's attributes
---------------- file
chattr +a file        #Assign the special attribute to the file
lsattr file           #Query the file's attributes again
-----a---------- file
vim file              #Manual edit (fails)
echo '123' >>file     #Append text (succeeds)
cat file
123
rm -f file            #Delete the file (fails)
rm: cannot remove 'file': Operation not permitted
#If you want to delete the file, you need to use the root identity, remove the attribute first, and then delete it
```
1. Why are files created by default with permission 644 and directories with 755?
2. Why does the home directory of a newly created normal user have permission 700 by default?
By default, the system specifies the maximum permissions: directory 777, file 666. Why are the created files and directories neither 777 nor 666?
Because they are controlled by UMASK; for example, UMASK is set to 0022.
So the final permissions of the files and directories created are
The default permission of a newly created ordinary user's home directory:

```
vim /etc/login.defs
UMASK 077                #When creating a user, the UMASK is set to 077
                         #777-077=700
ll -d /home/u1
drwx------. 3 u1 grp1 78 Mar 13 01:30 /home/u1
#If I want to create a home directory with permissions of 755, set UMASK to 022 in /etc/login.defs
```
- By default, the file permissions created by root are different from those created by ordinary users:
- Files created by root: the default is 644
- Files created by ordinary users: the default is 664
When a user logs in to the system, some environment variables are loaded to initialize the working environment. (/etc/profile)

```
vim /etc/profile
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 022
fi
# Root: UID 0. Since its UID is not greater than 199, UMASK is initialized to 022
# Normal user: UID 1000 is greater than 199 and the group name is the same as the user name, so the condition is true and UMASK is initialized to 002
# The default permissions of files and directories are determined by UMASK. UMASK is set separately by this test in /etc/profile when users log in to the system.
```
When all bits of umask are even (for example 044):
mkdir d044: directory permissions are 777 - 044 = 733
touch f044: file permissions are 666 - 044 = 622
When some bits of umask are odd (for example 023):
mkdir d023: directory permissions are 777 - 023 = 754
touch f023: file permissions are 666 - 023 = 643 + 001 = 644
When some bits of umask are odd (for example 032):
mkdir d032: directory permissions are 777 - 032 = 745
touch f032: file permissions are 666 - 032 = 634 + 010 = 644
When all bits of umask value are odd (for example 035):
mkdir d035: directory permissions are 777 - 035 = 742
touch f035: file permissions are 666 - 035 = 631 + 011 = 642
(For files, 1 is added back in every position where the umask digit is odd, because the base 666 has no execute bit for the odd digit to remove.)
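To see why the odd-digit correction is needed, the script below, an added example that is not part of the original page, computes the default modes for the umasks above in two ways: the exact bitwise rule the kernel applies and the digit-wise subtraction written in the text. The umask values and base modes are the page's own; no other inputs are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): compute the default mode of a new
# file and directory for a given umask two ways: the exact bitwise rule the
# kernel applies, and the digit-wise subtraction used in the text, including
# its "+1 for every odd umask digit" correction for files. All arguments and
# results are three-digit octal strings such as 666, 777 and 022.

# Exact rule: every permission bit present in the umask is cleared from the
# base mode (666 for files, 777 for directories).
apply_umask() {
    printf '%03o' "$(( 0$1 & ~0$2 & 0777 ))"
}

# Digit-wise subtraction as written in the text, e.g. 777 - 044 = 733.
# $1 is the base digit (7 for directories, 6 for files), $2 the umask.
naive_mode() {
    base=$1 result=
    for d in $(printf '%s\n' "$2" | sed 's/./& /g'); do
        v=$(( base - d ))
        # 7 = rwx contains every bit, so subtraction is exact for directories.
        # 6 = rw- has no x bit: subtracting an odd digit (one that includes x)
        # "borrows" a bit that was never there, and the +1 gives it back.
        if [ "$base" -eq 6 ] && [ $(( d % 2 )) -eq 1 ]; then
            v=$(( v + 1 ))
        fi
        result="$result$v"
    done
    printf '%s' "$result"
}

# The four umasks from the text plus the 077 used for home directories in
# /etc/login.defs; both methods agree on every case.
show_cases() {
    for mask in 044 023 032 035 077; do
        printf 'umask %s  dir %s (naive %s)  file %s (naive %s)\n' "$mask" \
            "$(apply_umask 777 "$mask")" "$(naive_mode 7 "$mask")" \
            "$(apply_umask 666 "$mask")" "$(naive_mode 6 "$mask")"
    done
}

show_cases
```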